Author Topic: Conficker - The Facts (Read 55549 times)

f0dder · « **Reply #25 on:** April 01, 2009, 12:41 AM »

~~Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.~~

app103 · « **Reply #26 on:** April 01, 2009, 12:54 AM »

Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.
-f0dder (April 01, 2009, 12:41 AM)

Wait, I connect to hidemyass.com and type in the url of my antivirus company and click the button. The proxy is using my DNS to find where that url is and not theirs? That just sounds weird, since the point to the proxy is to not connect to the url at all and let the proxy do it for you and forward the data to you.

Unless conficker is blocking your access to that particular proxy service, I don't see how or why it would fail to work.

Try it. Block access to download.eset.com in your hosts file, firewall or any other way you choose. Then put this url in the box at hidemyass.com and see if you get the file, paying close attention to where it says it is coming from: http://download.eset...ConfickerRemover.exe

Ehtyar · « **Reply #27 on:** April 01, 2009, 01:05 AM »

Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.
-f0dder (April 01, 2009, 12:32 AM)

Most of the big sites should work as they're on dedicated/load balanced boxes. For the smaller ones, you can use one of a number of methods to send a fake Host header.

Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.
-f0dder (April 01, 2009, 12:41 AM)

F0d Man, were you thinking of a proper proxy? App Lady is talking about a web proxy.

Ehtyar.

f0dder · « **Reply #28 on:** April 01, 2009, 01:40 AM »

Sorry guys, I hadn't had enough morning coffee when I typed that post - I was thinking of a transparent proxy rather than one of those manual proxies

J-Mac · « **Reply #29 on:** April 01, 2009, 01:54 AM »

Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.
-f0dder (April 01, 2009, 12:32 AM)

That is very true, but using a proxy like hidemyass.com would probably work, without the need of even trying the IP and using the actual URL that conficker is blocking. And yes, you can download removal tools through that proxy. I tested it.
-app103 (April 01, 2009, 12:38 AM)

That's a great tip, app. Thank you!

Jim

iphigenie · « **Reply #30 on:** April 01, 2009, 04:15 AM »

But did I get this right - anyone with a legal copy of windows (and that includes people with a legal copy of windows which they installed on several machines, or multiple times on one machine for testing/development purposes) who runs regular updates, is protected by free software, so the only people not protected are the people with pirate copies who don't also have a paid/pirated/free copy of a virus scanner.

Those people really deserve what they get, no?

f0dder · « **Reply #31 on:** April 01, 2009, 04:42 AM »

The people pirating Windows generally use a WGA hack, so they get updates just fine.

How long was the infection window open before a patch was released?

Ehtyar · « **Reply #32 on:** April 01, 2009, 05:26 AM »

But did I get this right - anyone with a legal copy of windows (and that includes people with a legal copy of windows which they installed on several machines, or multiple times on one machine for testing/development purposes) who runs regular updates, is protected by free software, so the only people not protected are the people with pirate copies who don't also have a paid/pirated/free copy of a virus scanner.
-iphigenie (April 01, 2009, 04:15 AM)

Incorrect. You can still be infected if using an easily guessed password or through using an infected USB memory stick. The update only protects you from infection over the internet.

Ehtyar.

nite_monkey · « **Reply #33 on:** April 01, 2009, 08:30 AM »

Luckely for me, my computer hates autorun anyways. I believe it only worked for like the first week I had windows installed, and then it just randomly stopped working. Now I need to go home and put a password on my computer's accounts, because I am stupid and don't use passwords on the admin account or my user account because I am stupid... and lazy.

Stoic Joker · « **Reply #34 on:** April 01, 2009, 09:26 AM »

This is a classic example of why the 80/20 Rule of Information Security works. ...And throwing (away) mountains of cash on system resource hogging "Baby-Sitter) security applications doesn't.

I have never had to do a major cleanup on a network where A. (80/20) was inforced and B. (baby-Sitter) was ignored. Now, I'm not advocation that folks run without AV, I'm just point to an all to commonly repeating pattern where most (if not all) of this could have been avoided if people just took a few minutes outa their day to do something that's completely free.

Edvard · « **Reply #35 on:** April 01, 2009, 10:21 AM »

So, it's April 1st...

Anything happening? (no reports in the news yet)

mwb1100 · « **Reply #36 on:** April 01, 2009, 11:13 AM »

So, it's April 1st...

Anything happening? (no reports in the news yet)

-Edvard (April 01, 2009, 10:21 AM)

I heard an ABC News radio report that they put an unprotected machine on Internet, and it got probed and compromised within a few minutes. To be honest, I'm not sure how different that might be from any other day on the Internet.

I'm sure that having a NAT router between you an the 'net would go a long way toward preventing the problem (though does having UPNP enabled on the router change that? - It came enabled by default on my most recent router.)

mwb1100 · « **Reply #37 on:** April 01, 2009, 11:16 AM »

post deleted...

Lashiec · « **Reply #38 on:** April 01, 2009, 12:36 PM »

So, it's April 1st...

Anything happening? (no reports in the news yet)
-Edvard (April 01, 2009, 10:21 AM)

Yeah, but at some point you can't tell if it's another joke or the real thing. What a date to choose to activate the worm... So far, everything seems all right, did not see any report other than Conficker becoming "self-aware".

What it bothers me is that browsing the Internet today is a major pain in the ass, because everything is loading much slower than it's normal. What's more, I've been trying to download a podcast during the last two hours, achieving some staggering download rates (2 KB per second), and the cablemodem took like 5 minutes to connect to the ISP this morning. I assume the Net is crumbling under the Conficker hammering, or perhaps it's just a particular problem with my provider.

Edvard · « **Reply #39 on:** April 01, 2009, 12:43 PM »

I haven't experienced any noticeable delays, so it must be your ISP.

Ehtyar · « **Reply #40 on:** April 01, 2009, 02:28 PM »

I'm sure that having a NAT router between you an the 'net would go a long way toward preventing the problem (though does having UPNP enabled on the router change that? - It came enabled by default on my most recent router.)
-mwb1100 (April 01, 2009, 11:13 AM)

Disabling UPNP is to prevent Conficker from spreading from your network only.

I'm surprised at the number of people who expected the skies to fall and the seas boil today. Wasn't my original post about that not happening? Anyway, just be sure to keep your current protections in place and be prepared for the update to occur sometime soon. If you ask me, an awful lot of work has gone into Conficker for its authors to forget about it now.

Ehtyar.

Edvard · « **Reply #41 on:** April 01, 2009, 02:44 PM »

While I certainly was not expecting doomsday, I was wondering if something was happening.

So far, it's done nothing but wake up and start resolving DNS's just like they said it would.

I'm with you Ehtyar, it's put together too well to turn out to be nothing. But what it will do, I am very interested in.

Ehtyar · « **Reply #42 on:** April 01, 2009, 02:59 PM »

Indeed!! I spent far too much time yesterday watching news updates in case there was news. I'd very much like to know what Conficker will morph into when its authors decide to get their act together, though I'm not surprised nothing happened yet, far too much media attention at the moment.

Ehtyar.

40hz · « **Reply #43 on:** April 01, 2009, 06:20 PM »

The people pirating Windows generally use a WGA hack, so they get updates just fine.
-f0dder (April 01, 2009, 04:42 AM)

That, or they just use any one of a number of freebie offline-WSUS apps you can find on the web. With these, they just grab all the updates off Microsoft's website and burn them to a DVD for use on multiple machines.

I'm 110% legal with everything (MS Partners don't dare screw around with that) but I still do all my MS updating via offline utilities.

app103 · « **Reply #44 on:** April 02, 2009, 03:30 PM »

Found this amusing little "eye chart" on friendfeed, for detecting if you are infected with Conficker:

http://www.conficker...test/cfeyechart.html

While it's not 100% foolproof detection, it would work in a lot of cases, providing you aren't using certain types of proxies.

Ehtyar · « **Reply #45 on:** April 02, 2009, 06:53 PM »

Why is it not foolproof? IMO that's a much easier way for users to detect to Conficker than attempting to download a tool from a site that Conficker blocks.

I nearly hit the roof at work this morning when we got an email from the higher-ups about Conficker, suggesting that if you believe you're infected you download a cleaning utility from Microsoft or Symantec, both of which are blocked by Conficker. Would common sense not tell you to have users check for infection by attemping to access, say, microsoft.com and then if they have issues, provide a URL that Conficker doesn't block from which to download your removal tool. What the hell is wrong with these people?

Ehtyar.

[edit]
Now that my ranting impulse has been satisfied, thanks for the link App

[/edit]

Stoic Joker · « **Reply #46 on:** April 03, 2009, 07:25 AM »

Why is it not foolproof? IMO that's a much easier way for users to detect to Conficker than attempting to download a tool from a site that Conficker blocks.

I nearly hit the roof at work this morning when we got an email from the higher-ups about Conficker, suggesting that if you believe you're infected you download a cleaning utility from Microsoft or Symantec, both of which are blocked by Conficker. Would common sense not tell you to have users check for infection by attemping to access, say, microsoft.com and then if they have issues, provide a URL that Conficker doesn't block from which to download your removal tool. What the hell is wrong with these people?

Ehtyar.

-Ehtyar (April 02, 2009, 06:53 PM)

You think that's bad...? ...Symantec had a big banner on their main page yesterday morning that said "Not sure if you're infected with the April 1st bug? For more information click here".

What more information?!? ... (I'm guessing lame sales pitch/I never checked) ... How about just saying "If you can read this you are ok."? It would make more sense, now wouldn't it?

Ehtyar · « **Reply #47 on:** April 03, 2009, 03:00 PM »

Yeah, so true. My boss was on McAfee for whatever reason yesterday, and they were doing exactly the same thing. It's always such a disappointment when companies take advantage of consumers' ignorance like that.

Ehtyar.

Ehtyar · « **Reply #48 on:** April 05, 2009, 07:02 AM »

I found this just now and thought it might be useful. It is a scanner, written by Team White Hat (Dan Kaminsky's crew) in python that should detect Conficker-infected machines.

The scanner can be downloaded as an independent package that can be run without python:
http://iv.cs.uni-bon...ds/media/scs_exe.zip
Simply extract the package and run 'scs <start-ip> <end-ip>' to scan an entire IP range, or 'scs <ip-list-file>' to scan a text file containing a list of IPs to scan. You can also run 'scanner <ip>' to scan a single IP address.
If you're handy with python you can download the source script (it requires the Impacket lib):
http://iv.cs.uni-bon...ploads/media/scs.zip
More info is available at:
http://iv.cs.uni-bon...ontaining-conficker/

Hope these help out in some way.

Ehtyar.

Shook · « **Reply #49 on:** April 05, 2009, 05:17 PM »

I just can't help wondering if anything actually happened at the time/date where people were all "OH SNAP WE'RE GOING TO BE BLASTED BY CONFICKER"? I mean, in my everyday, i've literally seen nothing regarding this Conficker, and the Danish news are usually eager to pounce on any major (bad) news outside Denmark, especially one like this of such potential magnitude. (Say that 10 times fast >.>)
The most i've seen of it is sporadic threads on forums here and there, but nothing about if anything actually happened. People do say that bad things will happen, but so far, i've seen... Well, nothing. Personally, i'm starting to doubt the existence of this virus. Am i totally alone in this?